Attorney Docket: 2202/50165

PATENT 

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 



Applicant: JEAN-MARC DERY 

Serial No.: NOT YET ASSIGNED PCT NO.: PCT/FR99/02992 
Filed: JUNE 29, 2001 

Title: DEVICE AND METHOD FOR PROTECTING SENSITIVE DATA 
AND FRANKING MACHINE USING THEM 

PRELIMINARY AMENDMENT 

Box PCT 

Commissioner for Patents 
Washington, D.C. 20231 

Sir: 

Please enter the following amendments to the specification, 
claims and abstract prior to the examination of the application. 

IN THE SPECIFICATION:

Please amend the specification as follows:
Page 1, after the title, insert the following heading:
--BACKGROUND AND SUMMARY OF THE INVENTION--.

Page 2, between lines 18 and 19, insert the following
heading:

--BRIEF DESCRIPTION OF THE DRAWINGS--; and

between lines 30 and 31, insert the following heading:

--DETAILED DESCRIPTION OF THE DRAWINGS--.




IN THE CLAIMS:

Please amend claims 3, 6 and 7 as follows:

(A copy of the marked-up version of amended claims is
attached to this Preliminary Amendment).

3. (Amended) A protection method according to claim 1,
characterized in that each routine operating on said data
implements said verification operation (400).

6. (Amended) A protection device according to claim 4,
characterized in that each routine operating on said data
implements said verification system (104, 105, 106).

7. (Amended) A franking machine (1), characterized in that
it includes a device according to claim 4.

Please add new claims 8-11 as follows: 

--8. A protection method according to claim 2,
characterized in that each routine operating on said data
implements said verification operation (400).

9. A protection device according to claim 5, characterized
in that each routine operating on said data implements said
verification system (104, 105, 106).

10. A franking machine (1), characterized in that it
includes a device according to claim 5.

11. A franking machine (1), characterized in that it
includes a device according to claim 6.--

IN THE ABSTRACT:

Please add an Abstract of the Disclosure submitted herewith
on a separate page.

REMARKS

Entry of the amendments to the specification, claims and
abstract before examination of the application is respectfully
requested.

If there are any questions regarding this Preliminary 
Amendment or this application in general, a telephone call to the 
undersigned would be appreciated since this should expedite the 
prosecution of the application for all concerned. 

It is respectfully requested that, if necessary to effect 
a timely response, this paper be considered as a Petition for an 
Extension of Time sufficient to effect a timely response and 
shortages in other fees, be charged, or any overpayment in fees 
be credited, to the Account of Crowell & Moring, L.L.P., Deposit 
Account No. 05-1323 (Docket #2202/50165).

Respectfully submitted, 

June 29, 2001 



CROWELL & MORING, L.L.P.
P.O. Box 14300
Washington, DC 20044-4300
Telephone No.: (202) 628-8800
Facsimile No.: (202) 628-8844

JDS:pet

Jeffrey D. Sanok
Registration No. 32,169
--ABSTRACT OF THE DISCLOSURE

The invention concerns a method for protecting data 
sensitive to the use of a routine acting on the data. It 
comprises an operation, performed by said routine, an operation 
which consists in verifying the identity of each software task 
invoking said routine. Preferably, said verification operation 
comprises an operation which consists in reading an identifier 
of said task and an operation which consists in comparing said 
identifier with predetermined identifiers.-- 
VERSION WITH MARKINGS TO SHOW CHANGES MADE

Please amend claims 3, 6 and 7 as follows:

3. (Amended) A protection method according to [either]
claim 1 [or claim 2], characterized in that each routine
operating on said data implements said verification operation
(400).

6. (Amended) A protection device according to [either]
claim 4 [or claim 5], characterized in that each routine
operating on said data implements said verification system (104,
105, 106).

7. (Amended) A franking machine (1), characterized in that
it includes a device according to [any of claims 4 to 6] claim
4.

Device and method for protecting sensitive data and
franking machine using them 

The present invention relates to a device and a 
method for protecting sensitive data and to a franking 
machine using them. 

It applies in particular to franking machines with 
a program running in a multitask environment and more 
generally to the protection of sensitive data, for example 
data representing amounts of money, or of sensitive tasks 
manipulating the sensitive data. 

In a multitask environment, each task can invoke 
each routine, regardless of the security necessary for said 
routine. In a franking machine, some tasks manipulate 
quantities representing amounts of money. In particular, 
the phases of operating or recharging a franking machine 
use the routines that manipulate amounts of money. 

The correct execution of each of these tasks must
be guaranteed. By "correct execution" is meant the fact
that a task executes in the normal context of operation of
the machine. In other words, the invention seeks to
prevent sensitive data from being degraded or modified
inopportunely.

To this end, the present invention aims to have at 
least one routine operating on sensitive data verify the 
identity of tasks that invoke it. 

Accordingly, if an unauthorized task attempts to 
invoke said routine, the latter can limit its execution and 
therefore prevent harm to the sensitive data concerned. 

According to a first aspect, the present invention 
provides a method of protecting sensitive data against use 
of a routine operating on said data, characterized in that 
it includes an operation of verifying the identity of each 
software task calling said routine, which operation is 
implemented by said routine. 
Thanks to these features, if an unauthorized task
is used to access said routine which uses sensitive data, 
on verifying its identity, that routine detects that it is 
not authorized and it prevents access to the sensitive data 
concerned. 

In the case of a franking machine, for example, the 
routines concerned include the routine for incrementing the 
counter for the franking amount consumed and decrementing 
the counter for the remaining available franking amount and 
the routine for incrementing the counter for the number of 
franking operations effected. 

In accordance with particular features, said 
verification operation includes an operation of reading an 
identifier of said task and an operation of comparing said 
identifier with predetermined identifiers. 

Thanks to these features, all the tasks authorized
to use the routine in question are identified in a
particular list, which facilitates programming the routine
and updating the programming.

According to other particular features, each 
routine operating on said data implements said verification 
operation. 

Thanks to these features, whichever routine 
attempts to access the sensitive data, the protection 
offered by the present invention is assured by said 
routine.

According to a second aspect, the present invention 
provides a device for protecting sensitive data against use 
of a routine operating on said data, characterized in that 
it includes a verification system adapted to verify the 
identity of each software task calling said routine, said 
verification system being implemented by said routine. 

The invention also provides a franking machine
characterized in that it includes a device as succinctly
described above.

The invention is also directed to:

- a system for storing information readable by a
computer or a microprocessor storing instructions of a
computer program, characterized in that it enables the
method according to the invention as succinctly described
hereinabove to be implemented, and

- a partly or completely removable system for
storing information readable by a computer or a
microprocessor storing instructions of a computer program,
characterized in that it enables the method according to
the invention as succinctly described hereinabove to be
implemented.

The above device, the above franking machine and 
the above storage system having the same particular 
features and the same advantages as the method succinctly 
described hereinabove, the advantages are not described 
again here. 

Other advantages, objects and features will emerge 
from the following description, which is given with 
reference to the accompanying drawings, in which: 

- figures 1A and 1B are respectively a plan view
and an elevation view of a franking machine using the
device and the method of protecting data which are the
subject-matter of the invention,

- figure 2 represents schematically an electronic
circuit incorporated in the franking machine shown in
figures 1A and 1B, and

- figure 3 shows an operation algorithm of the
electronic circuit shown in figure 2.

The franking machine 1 shown in the drawings
(figures 1A and 1B) includes a device for printing a
franking mark and an optional destination address on a flat
object such as a letter 2.

In order to print the franking mark in the
standardized place provided for this purpose, the letter 2
must be passed through a corridor 5 included in the machine
1, said corridor being delimited by members fastened to the
frame, respectively a sliding support 6 which forms the
ceiling of the corridor 5, a table 7 which forms its floor,
and a ramp which forms a lateral limit thereof, the
corridor being open at the end opposite the ramp.

In order to insert the letter 2 into the corridor
5, the letter is placed on the part of the table 7 which
projects on the insertion side (the side seen on the left
in figure 1B), after which the letter is inserted into the
corridor 5, as shown in figures 1A and 1B, until it is
driven by the means provided for this purpose in the
machine 1. The printing of the franking mark is performed
automatically while the letter 2 is driven in the corridor
5, the franked letter being expelled from the machine at
the other end of the corridor 5 (the end seen on the right
in figure 1B).

For driving the letter 2, the machine 1 includes
two rollers 9 and 10, each passing through an opening in
the table 7, and respective pressure rollers 12 and 13 for
the rollers 9 and 10, each passing through an opening in
the support 6.

The rollers 9 and 10 are rotatably mounted with
respect to the frame of the machine 1, through a suspension
system 14 shown diagrammatically in figure 1B.

The pressure rollers 12 and 13 are rotatably
mounted on the frame of the machine 1, without being
suspended therefrom. An electric motor, not shown, is used
to drive synchronous rotation of the pressure rollers 12
and 13, for example through a belt (not shown) running
around three pulleys respectively carried by the motor, the
pressure roller 12 and the pressure roller 13.

Because the suspension system 14 urges the rollers
9 and 10 toward the support 6, and therefore toward the
pressure rollers 12 and 13, the rollers 9 and 10 are driven
by friction against the pressure rollers 12 and 13, either
directly or through an object passing through the machine
1, such as the letter 2.

When the letter 2 is inserted into the corridor 5
in the manner shown in figure 1B, it eventually encounters
the roller 9 and then the pressure roller 12, which drives
it in the direction indicated in figure 1B by the
horizontal arrow oriented from left to right. At the same
time, the roller 9 is lowered whereas the letter 2 is
inserted between the rollers 9 and 12, so that the letter 2
moves forward in the machine 1 with its face 4 to be
printed pressed against and sliding along the surface 17 of
the sliding support 6.

For printing the franking mark in its corresponding
standardized place and/or the destination address in its
corresponding standardized place, the machine 1 includes a
printing system 19, shown quite diagrammatically in figures
1A and 1B.

Generally speaking, the printing system 19 applies
the franking mark while the letter 2 or the object to be
franked is travelling through the machine 1 with its face
to be printed pressed against the surface 17 of the sliding
support 6, the printing system 19 being located between the
pressure rollers 12 and 13.

In the example shown, the printing system 19 is
mounted directly on the frame of the machine and is
therefore fixed relative to the sliding support 6.

In order for the printing system 19 to be
controlled synchronously with forward movement of the
object in the machine, there is provided a detector
(referenced 110 in figure 2) of the presence of the object
which triggers a printing process running automatically.

To be more precise, there is a first presence
detector that causes the motor (not shown) to be started
when an object begins to be inserted into the machine 1,
and a second presence detector (not shown) that triggers
the printing process when the object has reached a
predetermined location.
Figure 2 shows an electronic circuit for
controlling the device as shown in figures 1A and 1B. The
circuit 100 is illustrated in the form of a block diagram.
It includes, connected together by an address and data bus
102:

- a central processing unit 106,
- a random access memory (RAM) 104,
- a read-only memory (ROM) 105,
- an input/output port 103 for receiving:
  • the weight of the postal object to be franked, and
  • detection of the postal object by each of the
    detectors (not shown in the figures),
  and for transmitting:
  • motor control signals,

and, independently of the bus 102:

- stepper motors 109;
- presence detectors 110;
- a display screen 108 connected to the input/output
  port 103,
- scales 112 connected to the input/output port 103 and
  supplying bytes representing the weight of a postal
  object,
- a keypad 101 connected to the input/output port 103
  and supplying bytes representing successively pressed
  keys of the keypad, and
- a printing controller 120 controlling the operation of
  the printing system 19.

Each of the components shown in figure 2 is well
known to the person skilled in the art of franking machines
having a microprocessor circuit and, more generally,
information processing systems. Those components are
therefore not described here.

The random-access memory 104 stores data, variables
and intermediate processing results in memory registers
which, in the remainder of the description, carry the same
name as the data whose value they store. The random-access
memory 104 includes notably registers storing information
representing the weight of the postal object to be franked,
the format of the postal object currently being processed,
the number of postal objects in the batch currently being
processed, up-counter and down-counter values that
correspond to franking amounts already applied and
remaining to be applied before recharging the machine. The
latter registers operate according to techniques that are
known in the field of franking machines (during each
franking operation, when the down-counter amount is greater
than the amount of the franking mark to be applied, it is
decremented by the amount of that mark and the up-counter
is incremented by the same amount).

The read-only memory 105 is adapted to store the
operating program of the central processing unit 106 in a
register labeled "program1", and the data needed for
operation of that program as well as a correspondence table
relating weights and franking amounts.

The read-only memory 105 also stores in a register
labeled "identifier_list" a list of identifiers of software
tasks authorized to access the routines that use sensitive
data (e.g. franking amounts).

The memory 105 referred to as a "read-only memory"
is in fact a rewriteable memory that is not erased when the
device is turned off. It can be rewritten only by
authorized personnel using secure procedures, so that for
the everyday user it is just like a read-only memory.

The central processing unit 106 is adapted to use
the program stored in read-only memory 105. An operating
algorithm of that program is shown in figure 3.
The software (program) of the franking machine is a
multitask software, which implies allocation by the
processor of a memory space (stack) associated with each
task. This memory space is included in the random access
memory 104.

During an operation 301:

- the electronic card 10 is initialized by the
central processing unit 106, using known techniques, and

- the central processing unit 106 assigns an
identifier (e.g. a number) to each task of the application.

During an operation 302, the central unit 106 runs
a program portion that does not necessitate any call to a
routine using sensitive data.

During an operation 303, the central unit 106
implements a task that calls one of the routines that use
sensitive data.

During an operation 304, the routine 400 in
question (shown in dashed line) reads the identifier of the
task currently being run by calling a so-called "system"
routine of a known type, intended for that read operation.

Then, during a test 305, the routine 400 compares
the identifier of the task to the content of the list of
identifiers stored in the read-only memory 105 and
determines whether that task identifier is in the list.

When the result of the test 305 is positive, the
task is authorized to access the routine and the use of
sensitive data is executed during an operation 306. The
central unit 106 then returns to the operation represented
by the reference 302.

When the result of the test 305 is negative, the
task is not authorized to access the routine. The
operation of the central unit 106 is then stopped, and an
alarm is tripped (operation 307), until the franking
machine is powered down (operation 308).
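
Operations 301 to 307 expressed as C code, added here as an illustration and not taken from the application: the function names, task numbers, status codes and the scheduler stand-in `sys_current_task_id()` are assumptions. A second routine on the same counters carries the same check, as the description requires of every routine operating on the sensitive data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Task identifiers assigned at initialisation (operation 301); values are constructed. */
enum { TASK_UI = 1, TASK_FRANKING = 2, TASK_RECHARGE = 3, TASK_STATS = 4 };

/* "identifier_list" held in ROM 105: tasks allowed to call routines on sensitive data. */
static const uint8_t identifier_list[] = { TASK_FRANKING, TASK_RECHARGE };

typedef enum { FRANK_OK, FRANK_REFUSED, FRANK_HALTED } frank_status;

/* Sensitive registers kept in RAM 104 (amounts in cents, a hypothetical unit). */
static uint32_t down_counter, up_counter, piece_count;
static int alarm_latched;
static uint8_t current_task;               /* stand-in for scheduler state */

/* Hypothetical "system" routine returning the identifier of the running task. */
static uint8_t sys_current_task_id(void) { return current_task; }
void run_as(uint8_t task) { current_task = task; }   /* simulates a context switch */

void machine_init(uint32_t credit) {       /* operation 301 */
    down_counter = credit; up_counter = 0; piece_count = 0;
    alarm_latched = 0; current_task = TASK_UI;
}

/* Operations 304 and 305, executed inside each routine that touches the counters. */
static int caller_is_authorized(void) {
    uint8_t id = sys_current_task_id();                        /* 304: read identifier */
    size_t n = sizeof identifier_list / sizeof identifier_list[0];
    for (size_t i = 0; i < n; i++)                             /* 305: compare to list */
        if (identifier_list[i] == id) return 1;
    alarm_latched = 1;                                         /* 307: alarm, stay stopped */
    return 0;
}

/* Routine 400: debit one franking mark from the remaining credit. */
frank_status frank_debit(uint32_t amount) {
    if (alarm_latched || !caller_is_authorized()) return FRANK_HALTED;
    if (!(down_counter > amount)) return FRANK_REFUSED;        /* page: "greater than" */
    down_counter -= amount;                                    /* 306: use the data */
    up_counter += amount;
    piece_count++;
    return FRANK_OK;
}

/* A second routine operating on the same data implements the same verification. */
frank_status frank_recharge(uint32_t amount) {
    if (alarm_latched || !caller_is_authorized()) return FRANK_HALTED;
    if (amount > UINT32_MAX - down_counter) return FRANK_REFUSED;  /* no wrap-around */
    down_counter += amount;
    return FRANK_OK;
}

uint32_t credit_remaining(void) { return down_counter; }
uint32_t credit_consumed(void)  { return up_counter; }
int alarm_is_latched(void)      { return alarm_latched; }

int main(void) {
    machine_init(500);
    run_as(TASK_FRANKING);
    printf("franking task: status %d, remaining %u\n",
           frank_debit(120), (unsigned)credit_remaining());
    run_as(TASK_STATS);                    /* not in identifier_list */
    printf("stats task:    status %d, alarm %d\n",
           frank_recharge(100000), alarm_is_latched());
    run_as(TASK_FRANKING);                 /* authorized, but the unit is stopped */
    printf("after alarm:   status %d, remaining %u\n",
           frank_debit(120), (unsigned)credit_remaining());
    return 0;
}
```

The check relies on the task identifier coming from the scheduler rather than from an argument supplied by the caller, and on `identifier_list` being writable only through the secure procedure the description attributes to memory 105.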

Thus, the method of protecting sensitive data
against use of a routine operating on said data, provided
by the present invention, includes an operation 400 of
verifying the identity of each software task calling said
routine, which operation is implemented by said routine.

Thus, thanks to the organization of the task 400,
and in particular thanks to the monitoring of the identity
of the tasks that call it, the modification of the
sensitive data by means of this routine is impossible.

As a variant, the routines 400 (i.e. the routines
that verify the identity of the task calling them before
accessing sensitive data) include not only the routines
that access the franking amount counters but also routines
operating on statistical data or operating parameters of
the franking machine.

In the embodiment described and shown, said
verification operation 400 includes an operation 304 of
reading an identifier of said task and an operation 305 of
comparing said identifier with predetermined identifiers.

In the embodiment described and shown, each routine
operating on sensitive data implements said verification
operation 400.

The device for protecting sensitive data against
use of a routine operating on said data is characterized in
that it includes as a verification system the central unit
106, associated with memories 104 and 105, for verifying
the identity of each software task calling said routine,
this verification system being implemented by said routine.
CLAIMS

1. A method of protecting sensitive data against
use of a routine operating on said data, characterized in
that it includes an operation of verifying the identity of
each software task calling said routine (400), which
operation is implemented by said routine.

2. A protection method according to claim 1,
characterized in that said verification operation (400)
includes an operation of reading an identifier of said task
(304) and an operation of comparing (305) said identifier
with predetermined identifiers.

3. A protection method according to either claim 1
or claim 2, characterized in that each routine operating on
said data implements said verification operation (400).

4. A device for protecting sensitive data against
use of a routine operating on said data, characterized in
that it includes a verification system (104, 105, 106)
adapted to verify the identity of each software task
calling said routine, said verification system being
implemented by said routine.

5. A protection device according to claim 4,
characterized in that said verification system (104, 105,
106) includes a reading system (104, 105, 106) for reading
an identifier of said task and a comparator system (104,
105, 106) for comparing said identifier and predetermined
identifiers.

6. A protection device according to either claim 4
or claim 5, characterized in that each routine operating on
said data implements said verification system (104, 105,
106).

7. A franking machine (1), characterized in that
it includes a device according to any of claims 4 to 6.
I acknowledge the duty to disclose information which is material to the examination of this
application in accordance with Title 37, Code of Federal Regulations, § 1.56(a).

I hereby claim foreign priority benefits under Title 35, United States Code, §119 of any foreign
application(s) for patent or inventor's certificate or of any PCT international application(s)
designating at least one country other than the United States of America listed below and have also
identified below any foreign application(s) for patent or inventor's certificate or any PCT
international application(s) designating at least one country other than the United States of America
filed by me on the same subject matter having a filing date before that of the application(s) of which
priority is claimed:



PRIOR FOREIGN/PCT APPLICATION(S) AND ANY PRIORITY CLAIMS UNDER 35 U.S.C. 119:

COUNTRY (if PCT indicate PCT): FRANCE
APPLICATION NUMBER: 9816550
DATE OF FILING (day, month, year): December 29, 1998
PRIORITY CLAIMED UNDER 35 USC 119: [X] Yes [ ] No
I hereby claim the benefit under Title 35, United States Code, §120 of any United States application(s) or PCT international application(s) designating the
United States of America that is/are listed below and, insofar as the subject matter of each of the claims of this application is not disclosed in that/those prior
application(s) in the manner provided by the first paragraph of Title 35, United States Code, §112, I acknowledge the duty to disclose material information as
defined in Title 37, Code of Federal Regulations, § 1.56(a) which occurred between the filing date of the prior application(s) and the national or PCT
international filing date of this application:

PRIOR U.S. APPLICATIONS OR PCT INTERNATIONAL APPLICATIONS DESIGNATING THE U.S. FOR BENEFIT UNDER 35 U.S.C. 120

U.S. APPLICATIONS
U.S. APPLICATION NUMBER / U.S. FILING DATE / STATUS (Check one): PATENTED, PENDING, ABANDONED

PCT APPLICATIONS DESIGNATING THE U.S.
PCT APPLICATION NO. / PCT FILING DATE / U.S. SERIAL NUMBERS ASSIGNED (IF ANY)

POWER OF ATTORNEY: As a named inventor, I hereby appoint the following attorney(s) and/or agent(s) to prosecute this application and transact all
business in the Patent and Trademark Office connected therewith. (List name and registration number)

Herbert I. Cantor, Reg. No. 24,392; James F. McKeown, Reg. No. 25,406; Donald D. Evenson, Reg. No. 26,160; Joseph D. Evans, Reg. No. 26,269; Gary R.
Edwards, Reg. No. 31,824; and Jeffrey D. Sanok, Reg. No. 32,169

Send Correspondence to:

Crowell & Moring, L.L.P.
P.O. Box 14300
Washington, D.C. 20044-4300

Direct Telephone Calls to:
(name and telephone number)

(202) 628-8800


201

FULL NAME OF INVENTOR
FAMILY NAME: DERY
FIRST GIVEN NAME: Jean-Marc
SECOND GIVEN NAME:

RESIDENCE & CITIZENSHIP
CITY: ASNIERES
STATE OR FOREIGN COUNTRY: FRANCE
COUNTRY OF CITIZENSHIP: FRANCE

POST OFFICE ADDRESS
POST OFFICE ADDRESS: 2, rue Liouville
CITY: 92600 ASNIERES
STATE & ZIP CODE/COUNTRY: FRANCE

202

FULL NAME OF INVENTOR
FAMILY NAME: L'HOTE
FIRST GIVEN NAME: Frederic
SECOND GIVEN NAME:

RESIDENCE & CITIZENSHIP
CITY: PARIS
STATE OR FOREIGN COUNTRY: FRANCE
COUNTRY OF CITIZENSHIP: FRANCE

POST OFFICE ADDRESS
POST OFFICE ADDRESS: 35, rue des Morillons
CITY: 75015 PARIS
STATE & ZIP CODE/COUNTRY: FRANCE


I hereby declare that all statements made herein of my own knowledge are true and that all statements made on information and belief are believed to be true;
and further that these statements were made with the knowledge that willful false statements and the like so made are punishable by fine or imprisonment, or
both, under section 1001 of Title 18 of the United States Code, and that such willful false statements may jeopardize the validity of the application or any
patent issuing thereon.

SIGNATURE OF INVENTOR 201

SIGNATURE OF INVENTOR 202

SIGNATURE OF INVENTOR 203

DATE

DATE